steve.langasek@canonical.com wrote:
Full_Name: Steve Langasek Version: 2.4.7 OS: Debian URL: http://people.ubuntu.com/~vorlon/gnutls-altname-nulterminated.patch Submission from: (NULL) (2001:4830:1244:0:219:d2ff:fe76:2acb)
When built with GnuTLS, libldap fails to correctly verify DNS hostnames against the subjectAltName field of the provided certificate. The reason for this is that, while the "length" that gnutls returns for the CN is equal to the strlen(), the length returned by gnutls_x509_crt_get_subject_alt_name() includes a trailing NUL.
I have verified that the referenced patch corrects this for the case of non-wildcard DNS subjectAltName values. I have not tested the code for the wildcarded case, though it seems likely that the same bug applies there and will need to be fixed.
I cannot duplicate this error with GnuTLS 1.7.8 or 1.7.9. The altname length that is returned just includes the non-NUL characters. Note that all of libldap's TLS functionality was tested and working with GnuTLS 1.7. What version are you using? It seems to me that if your version of GnuTLS is indeed behaving this way, then it's a GnuTLS bug, since in C, the length of a string never includes the trailing NUL.